Strategy: Security via Compliance

Regulatory and industry IT compliance initiatives generally involve security, but those who implement compliance and those responsible for enterprise security are often different people—and sometimes they’re at odds with each other.

What role should the security team play in any compliance effort? How can security teams leverage the resources and support given to compliance in order to improve overall enterprise security? And while compliance never equals security, how can enterprises maximize their efforts to ensure the best possible integration of the two?

To be effective, IT groups must truly understand and monitor regulatory requirements and take an active part in interpreting those requirements and mapping them to controls. Furthermore, IT organizations need to recognize and embrace the fact that noncompliance, even in the absence of a breach, is a threat they must manage. IT needs to take on the mantle of compliance responsibility, expand its mindset to include compliance, and reap the benefits of a broad set of business drivers that can both meet regulatory requirements and improve security.

In this report, we offer a “security’s eye view” of compliance, and discuss some critical points in building a good relationship between enterprise security and regulatory compliance.